cryptographic hash functions 01204427 june 2012. topics overview of cryptography hash function ...
TRANSCRIPT
Topics Overview of Cryptography Hash Function Usages Properties Hashing Function Structure Attack on Hash Function The Road to new Secure Hash Standard
3
Hash Function
The hash value represents concisely the longer message may called the message digest
A message digest is as a ``digital fingerprint'' of the original document
condenses arbitrary message to fixed sizeh = H(M)
Hashing V.S. Encryption
Hashing is one-way. There is no 'de-hashing’
Hello, world.A sample sentence to
show encryption.E
NhbXBsZSBzZW50ZW5jZSB0byBzaG93IEVuY3J5cHR
pb24KsZSBzZ
k
Hello, world.A sample sentence to
show encryption.D
NhbXBsZSBzZW50ZW5jZSB0byBzaG93IEVuY3J5cHR
pb24KsZSBzZ
k
Encryption is two way, and requires a key to encrypt/decrypt
52f21cf7c7034a2017a21e17e061a863
This is a clear text that can easily read without
using the key. The sentence is longer
than the text above.
Motivation for Hash Algorithms Intuition
Limitation on non-cryptographic checksum Very possible to construct a message that matches the
checksum Goal
Design a code where the original message can not be inferred based on its checksum
such that an accidental or intentional change to the message will change the hash value
Hash Function Applications Used Alone
Fingerprint -- file integrity verification, public key fingerprint Password storage (one-way encryption)
Combined with encryption functions Hash based Message Authentication Code (HMAC)
protects both a message's integrity and confideltaility Digital signature
Ensuring Non-repudiation Encrypt hash with private (signing) key and verify with public
(verification) key
Integrity
to create a one-way password file store hash of password not actual password
for intrusion detection and virus detection keep & check hash of files on system
Password Verification
Iam#4VKU
h
661dce0da2bcb2d82884e0162acf8194
Password store
Store Hashing Password
Iam#4VKU
h
661dce0da2bcb2d82884e0162acf8194
661dce0da2bcb2d82884e0162acf8194
Password store
Hash Matching Exactly?
Grant DenyYes No
Verification an input password against the stored hash
Topics Overview of Cryptography Hash Function Usages Properties Hashing Function Structure Attack on Hash Function The Road to new Secure Hash Standard
Hash Function Usages (I)
Message encrypted : Confidentiality and authentication
Message unencrypted: Authentication
Hash Function Usages (II)
Message encrypted : Authentication (no encryption needed!)
Message unencrypted: Authentication, confidentiality
Hash Function Usages (III)
Authentication, digital signature
Authentication, digital signature, confidentiality
Topics Overview of Cryptography Hash Function Usages Properties Hashing Function Structure Attack on Hash Function The Road to new Secure Hash Standard
Hash Function Properties Arbitrary-length message to fixed-length digest
Preimage resistant (One-way property)
Second preimage resistant (Weak collision resistant)
Collision resistant (Strong collision resistance)
Properties : Fixed length
Arbitrary-length message to fixed-length digest
Hello, world
This is a clear text that can easily read without
using the key. The sentence is longer than
the text above.
52f21cf7c7034a2017a21e17e061a863
Fixed length L
661dce0da2bcb2d82884e0162acf8194
Preimage resistant This measures how difficult to devise a message which hashes to the known
digest Roughly speaking, the hash function must be one-way.
Given only a message digest, can’t find any message (or preimage) that generates that digest.
Second preimage resistant
Given one message, can’t find another message that has the same message digest. An attack that finds a second message with the same message digest is a second pre-image attack.
It would be easy to forge new digital signatures from old signatures if the hash function used weren’t second preimage resistant
This measures how difficult to devise a message which hashes to the known digest and its message
Collision Resistant
Can’t find any two different messages with the same message digest Collision resistance implies second preimage resistance Collisions, if we could find them, would give signatories a way to repudiate their signatures
Topics Overview of Cryptography Hash Function Usages Properties Hashing Function Structure Attack on Hash Function The Road to new Secure Hash Standard
Two Group of Compression Functions The compression function is made from scratch
Message Digest
A symmetric-key block cipher serves as a compression function Whirlpool
Merkle-Damgard Scheme
Well-known method to build cryptographic hash function A message of arbitrary length is broken into blocks
length depends on the compression function f padding the size of the message into a multiple of the block size. sequentially process blocks , taking as input the result of the hash so far and the current
message block, with the final fixed length output
Hash Functions Family MD (Message Digest)
Designed by Ron Rivest Family: MD2, MD4, MD5
SHA (Secure Hash Algorithm) Designed by NIST Family: SHA-0, SHA-1, and SHA-2
SHA-2: SHA-224, SHA-256, SHA-384, SHA-512 SHA-3: New standard in competition
RIPEMD (Race Integrity Primitive Evaluation Message Digest) Developed by Katholieke University Leuven Team Family : RIPEMD-128, RIPEMD-160, RIPEMD-256, RIPEMD-320
MD2, MD4 and MD5
Family of one-way hash functions by Ronald Rivest All produces 128 bits hash value
MD2: 1989 Optimized for 8 bit computer Collision found in 1995
MD4: 1990 Full round collision attack found in 1995
MD5: 1992 Specified as Internet standard in RFC 1321 since 1997 it was theoretically not so hard to create a collision Practical Collision MD5 has been broken since 2004 CA attack published in 2007
Topics Overview of Cryptography Hash Function Usages Properties Hashing Function Structure
MD5 SHA
Attack on Hash Function The Road to new Secure Hash Standard
MD5 Overview
1. Append padding bits(to 448 mod 512)
2. Append length (64bits)
3. Initialize MD buffer (4x32 bits Word)Word A = 01 23 45 67Word B = 89 AB CD EFWord C = FE DC BA 98Word D = 76 54 32 10
The ith 32-bit word in matrix T, constructed from the sine function
M [q*16+k] = the kth 32-bit word from the qth 512-bit block of the msg
Single step
Topics Overview of Cryptography Hash Function Usages Properties Hashing Function Structure
MD5 SHA
Attack on Hash Function The Road to new Secure Hash Standard
Secure Hash Algorithm SHA originally designed by NIST & NSA in 1993
revised in 1995 as SHA-1 US standard for use with DSA signature scheme
standard is FIPS 180-1 1995, also Internet RFC3174 based on design of MD4 with key differences
produces 160-bit hash values recent 2005 results on security of SHA-1 have raised concerns
on its use in future applications
Revised SHA NIST issued revision FIPS 180-2 in 2002 adds 3 additional versions of SHA
SHA-256, SHA-384, SHA-512 designed for compatibility with increased security
provided by the AES cipher structure & detail is similar to SHA-1 hence analysis should be similar but security levels are rather higher
Sample Processing
Mac Intel 2.66 Ghz core i7 1024 bytes block of data
Type bits data processedMD5 128 469.7 MB/s SHA-1 160 339.4 MB/s SHA-512 512 177.7 MB/s
Padding and length field in SHA-512
What is the number of padding bits if the length of the original message is 2590 bits?
We can calculate the number of padding bits as follows:
The padding consists of one 1 followed by 353 0’s.
Topics Overview of Cryptography Hash Function Usages Properties Hashing Function Structure
MD5 SHA
Attack on Hash Function The Road to new Secure Hash Standard
Hash Function Cryptanalysis
cryptanalytic attacks exploit some property of algorithm so faster than exhaustive search
hash functions use iterative structure process message in blocks (incl length)
attacks focus on collisions in function f
Attacks on Hash Functions
brute-force attacks and cryptanalysis cryptanalytic attacks exploit some property of algorithm so faster than
brute-force a preimage or second preimage attack
find y such that H(y)equals a given hash value collision resistance
find two messages x & y with same hash so H(x) = H(y)
"md5 and sha1 are both clearly broken (in terms of collision-resistance” Ron Rivest
http://mail.python.org/pipermail/python-dev/2005-December/058850.html
"md5 and sha1 are both clearly broken (in terms of collision-resistance” Ron Rivest
http://mail.python.org/pipermail/python-dev/2005-December/058850.html
Topics Overview of Cryptography Hash Function Usages Properties Hashing Function Structure
MD5 SHA
Attack on Hash Function The Road to new Secure Hash Standard
The need of new Hash standard
MD5 should be considered cryptographically broken and unsuitable for further use, US CERT 2010
In 2004, a collision for the full SHA-0 algorithm was announced
SHA-1 not yet fully “broken” but similar to the broken MD5 & SHA-0 so considered insecure and be fade out
SHA-2 (esp. SHA-512) seems secure shares same structure and mathematical operations as
predecessors so have concern
SHA-3 Requirements
NIST announced in 2007 a competition for the SHA-3 next gen hash function
Replace SHA-2 with SHA-3 in any use so use same hash sizes
preserve the nature of SHA-2 so must process small blocks (512 / 1024 bits)
evaluation criteria security close to theoretical max for hash sizes cost in time & memory characteristics: such as flexibility & simplicity
Timeline Competition Nov 2007: Announce public competition Oct 2008: 64 Entries Dec 2008: 51 Entries as 1st Round Jul 2009: 14 Entries as 2nd Round Dec 2010: 5 Entries as 3rd Round Jan 2011: Final packages submission and enter public
comments 2012: SHA-3 winner announcement (Still in progress)
Five SHA-3 Finalists
BLAKE Grøstl JH Keccak Skien
http://csrc.nist.gov/groups/ST/hash/sha-3/Round3/submissions_rnd3.html
Summary Hash functions are keyless
Applications for digital signatures and in message authentication codes
The three security requirements for hash functions are one-wayness, second preimage resistance and collision resistance
MD5 and SHA-0 is insecure Serious security weaknesses have been found in SHA-1
should be phased out SHA-2 appears to be secure May use SHA-512 and use the first 256 bytes
The ongoing SHA-3 competition will result in new standardized hash functions in a next year